On 11/03/2012 08:15 PM, Steve Langasek wrote:
> On Sat, Nov 03, 2012 at 03:28:08PM -0500, Michael Shuler wrote:
>> After reading the -legal thread, comments above, the CAcert mailing list
>> thread, the Fedora explanation, and carefully reading the licensing
>> myself, the cautious side of me says the right thing to do is remove the
>> CAcert certificates from the package. This change will be committed to
>> the collab-maint git repo shortly.
> 
>> I appreciate the bug report, mejiko, and others taking the time to
>> consider this issue. I will consider a ca-certificates-cacert ITP for
>> inclusion in non-free.
> 
> Which debian-legal thread were you reading?  Because the two comments I see
> cc:ed to this bug report from debian-legal, from Francesco Poli and Florian
> Weimer, both point out that *certificates are not copyrightable*.  An SSL
> certificate is a unique representation of a mathematical fact; since it
> contains no creative element, copyright law does not provide for any
> monopoly rights prohibiting distribution.

There was one other short reply on debian-legal that was not sent to the
bug report. (Sorry if I broke the threading; I am not subscribed to
debian-legal.)

I understand that SSL certificates, themselves, are math, and I
understand the conclusion that they are not copyrightable.  However, I
am not fully convinced that, due to this conclusion, the CAcert license
has no effect (or whatever the proper legal terminology would be).

Among other suggestions, Francesco Poli recommended including a verbatim
copy of this license.

> The CAcert license is therefore something we should entirely ignore, because
> it has no legal force.

Is this really the case?  Should Debian ignore CAcert's license on their
root certificates?

Here is my reasoning, distilled as best I can:

CAcert has explicitly licensed their root certificates.

Even if SSL certificates are not copyrightable, the RDL contains the
language:

"In the event that any provision of this license is held to be invalid
or unenforceable, the remaining provisions of this license remain in
full force and effect."

This statement, along with the use restriction, in my reading, means
that the remainder of the CAcert RDL license is still applicable, as
they have intended, regardless of the copyright question.  It seems
clear from Fedora's decision, as well as Francesco's opinion and
Raphael's look (both non-legal opinions, as well as my own), that the
use restriction makes the CAcert root certificates licensed under a
non-free license.  Am I reading and interpreting this incorrectly?

If this license should be included in the ca-certificates package, then
an interpretation by ftp-master, I assumed, would result in the same
opinion.

In addition, the Social Contract #1 states that all _components_ (not
just copyrightable software) are to be 100% free.  That was the kicker
that made me think this license applies, regardless of copyrightability.

> Your proposal to remove it from the package without
> specific legal guidance to the contrary is a gross overreaction.

I have spent several sessions, since this bug was reported, carefully
reading the RDL license, other licenses, mailing list posts, etc.  My
(non-lawyer) interpretation of this issue led me to believe that the
right thing to do was to remove the CAcerts from this package in main,
due to it being licensed under a non-DFSG license.  Additionally,
including this CA as a non-free package for Debian users seems a
reasonable workaround.

I'm completely open to additional legal guidance with this, and I hope
you can see my logic wasn't just some overreaction - perhaps misguided
by trying to do the right thing following policy, I'll admit.  Heck, I
had no idea an SSL cert could be licensed, but it is clear to me that
CAcert has intentionally done just that.

-- 
Kind regards,
Michael Shuler
